
Chapter 5

Troubleshooting TCP/IP

In This Chapter

■ Troubleshooting TCP/IP in Windows 2000 Server

■ TCP/IP troubleshooting steps

■ Defining which is the best TCP/IP troubleshooting tool to solve your problem

■ Mastering basic TCP/IP utilities

Troubleshooting is, it seems, an exercise in matrix mathematics. That is, we use a variety of approaches and influences to successfully solve our problems, almost in a mental columns-and-rows format. These approaches may include structured methodologies, inductive and deductive reasoning, common sense, experience, and luck. And this is what troubleshooting is made of.

Troubleshooting TCP/IP problems is really no different from troubleshooting other Windows 2000 Server problems mentioned in this book, such as installation failures described in Chapter 2. Needless to say, Windows 2000 Server offers several TCP/IP-related tools and utilities to assist us, but more on the specifics in a moment.

TCP/IP Troubleshooting Basics

The goal in TCP/IP troubleshooting is very simple: fix the problem. Too often, it is easy to become overly concerned about why something happened instead of just fixing the problem. And by fixing the problem, I mean cost effectively.

1. Be cost effective. Don’t forget that several hours’ worth of MCSE-level consulting could more than pay for the additional bandwidth that may easily solve your TCP/IP WAN-related problem. Don’t overlook such an easy fix when struggling to make a WAN connection between sites utilizing Windows 2000 Server. Too little bandwidth is typically the result of being penny wise and pound foolish. Oh, and it also causes nasty timeout conditions that can wreak havoc on your TCP/IP-based network. And if you want to make a complex database unhappy, just give it too little bandwidth on a TCP/IP-based WAN.

4620-1 ch05.f.qc 10/28/99 12:00 PM Page 157

2. Experience is the best teacher. One of the more challenging corporate training assignments I frequently face is when I’m asked to deliver a custom TCP/IP and Windows 2000 Server troubleshooting session. The challenge is this: I’m not sure I can teach troubleshooting. It’s really just something you do, and you’re ultimately skilled at it or not. TCP/IP troubleshooting ability is heavily based on experience. The good news is that the more time on the computer you put in (“stick time”), the better you will do.

3. Use inductive reasoning. Microsoft officially recommends pursuing a TCP/IP troubleshooting strategy of working from the bottom up, such as starting at the Physical Layer of the Open Systems Interconnection (OSI) model and proceeding to look at broader influences such as the applications you are running. This enables you to isolate a problem. Such an approach is also known as induction or inductive reasoning, which Webster’s New World Dictionary defines as “a bringing forward of separate facts or instances, esp. so as to prove a general statement.” This mindset is largely the basis for this chapter, as individual tools and utilities that in reality would be used independently to solve a larger TCP/IP-related problem will be discussed. That is, you would start with a specific tool to solve a discrete problem and, as troubleshooting both goes and grows, resolve more global TCP/IP issues.

In contrast, deductive reasoning is really better suited for the Windows 2000 Server developers in feature-set brainstorming sessions where the whole idea is to come up with great new features and then work down to the implementation specifics. Webster’s defines deduction as “Logic — the act or process of deducing; reasoning from a known principle to an unknown, from a general to the specific.”

4. Use the in-house help. Many wonderful tools are included in Windows 2000 Server for use in your TCP/IP troubleshooting efforts. These include native commands and utilities such as IPConfig and ping that will be reviewed in this chapter. And given that Windows 2000 Server is often bundled with the full version of BackOffice, don’t forget the full-featured version of Network Monitor included in Microsoft Systems Management Server (SMS). You will recall that tools such as Network Monitor were discussed at length in Part VI of this book, “Optimizing and Troubleshooting Windows 2000 Server.”

5. Don’t forget third-party tools. Not surprisingly, a wide range of third-party TCP/IP troubleshooting tools is available to assist you. One favorite, which will be discussed in Chapter 9, is PingPlotter, a low-cost shareware application from Richard Ness at Nessoft (www.nesssoft.com). PingPlotter is included on the CD-ROM that accompanies this book. This application tests ping connectivity and measures ping performance across WAN hops.

158 Part II: TCP/IP

6. Always reboot. Last, but certainly not least, you must always reboot when modifying anything related to the TCP/IP protocol stack in Windows 2000 Server. Even though the “stack” has improved dramatically, I still don’t trust it completely. In my eyes, there is nothing like a complete reboot where you shut the computer down for 15 seconds after you’ve modified any TCP/IP protocol settings. And it’s an easy lesson to overlook! Here’s why. Let’s assume you switch your IP address from a dynamic DHCP-assigned address to a static IP address. So far, so good. But if at this moment, you run the IPConfig command that reports basic TCP/IP configuration information (discussed later in this chapter), you will note that the TCP/IP configuration information reports the new, updated IP address as if it were properly bound to the network adapter. Don’t you believe it for a minute! Always reboot.

In fact, if you want my $59.95’s worth, I’d highly recommend you follow Step Zero — that is to completely cold-reboot your Windows 2000 Server prior to concluding you have any problems with TCP/IP. Don’t ask me why, but I’ve seen many Windows 2000 Server TCP/IP-related gremlins disappear this way. And that’s something you won’t read about in the official MCSE study guides. Trust me.

First Step: Ask the Basic Questions

So where do you go from here? Remember that troubleshooting any problem is a function of asking enough questions. Here is a short list of questions you can start your TCP/IP troubleshooting journey with. It is by no means exhaustive.

■ What’s working?

■ What’s not working?

■ What is the relationship between the things that work and the things that don’t?

■ Did the things that don’t work now ever work on this computer or network?

■ If the answer is yes, what has changed since they last worked?

You can ask more specific questions in your quest to resolve your TCP/IP problems. These questions are presented and answered at the end of the chapter.

Second Step: Define the Tools

Having completed this first step, you’re ready to begin troubleshooting TCP/IP in Windows 2000 Server. Table 5-1 provides a list of TCP/IP diagnostic utilities and troubleshooting tools, many of which will be discussed further in this chapter.

Table 5-1 Windows 2000 Server TCP/IP Troubleshooting Tools and Utilities

Utility/Tool                  Description

ARP                           Address Resolution Protocol. Enables you to view local computer ARP table entries to detect invalid entries.

Hostname                      Typing this at the command line returns the current hostname of the local computer.

IPConfig                      Current TCP/IP information is displayed. Command line switches enable you to release and/or renew your IP address.

Nbtstat                       Connections using NetBIOS over TCP/IP and protocol statistics are displayed. The LMHOSTS cache is updated (purged and reloaded).

Netstat                       Active TCP/IP connections are displayed in addition to TCP/IP statistics.

Nslookup                      Internet domain name servers are queried and recorded; domain host aliases, domain host services, and operating system information is returned.

Ping                          Packet Internet Gopher. Tests connections and verifies configurations.

Route                         Displays, prints, or modifies a local routing table.

Tracert                       Checks the route from the local to a remote system.

FTP                           File Transfer Protocol. This tool is used for two-way file transfers between hosts.

TFTP                          Trivial File Transfer Protocol. Provides another form of two-way file transfer between hosts. Typically used when one host demands TFTP. I’ve used this in conjunction with router configuration and troubleshooting scenarios.

Telnet                        Basic terminal emulation program that establishes a session with another TCP/IP host running a Telnet host.

RCP                           Remote Copy Protocol. Enables you to copy files between TCP/IP-based hosts.

RSH                           Remote Shell. Enables you to be authenticated by and run UNIX commands on a remote UNIX host.

Rexec                         Enables you to be authenticated by and run processes on a remote computer.

Finger                        System information is retrieved from a remote computer running TCP/IP and supporting the Finger command.

Microsoft Internet Explorer   Browser used for locating information and retrieving resources from the Internet.

Two important TCP/IP-related “tools” that are missing in Windows 2000 Server are native NFS client support and the whois command. For NFS client support, as discussed in Part VI of this book, “Optimizing and Troubleshooting Windows 2000 Server,” check with NetManage or WRQ, two independent software vendors that provide NFS client solutions for Windows 2000 Server.

Typing whois at the Windows 2000 Server command line results in the following error message:

‘whois’ is not recognized as an internal or external command, operable program or batch file.

In a moment, in the Telnet discussion, I will share a secret for using the whois command with Windows 2000 Server.

Before going any further, it is important to establish your troubleshooting paradigm. Consider the following as you work with TCP/IP and read the remainder of this chapter. The following are considered TCP/IP diagnostic commands: ARP, hostname, IPConfig, nbtstat, netstat, ping, route, and tracert. These are considered connectivity commands: Finger, FTP, RCP, rexec, RSH, Telnet, and TFTP.

Did you know that FTP, rexec, and Telnet not only use but also rely on clear-text passwords, sent unencrypted across the network, in a Windows 2000 scenario? That’s a huge departure from Windows 2000 Server’s basic reliance on encrypted password-based security. Be sure to think about this little fact the next time you use these tools.

Third Step: Use the Tools

Now the details. Having read about the TCP/IP troubleshooting tools and utilities found in Windows 2000 Server, you’re now ready to learn the finer points. This section includes an array of TCP/IP tools including:

■ IPConfig

■ Ping

■ ARP

■ Nbtstat

■ Route

■ Netstat

■ Tracert

■ Hostname

■ FTP

■ TFTP

■ Telnet

■ RCP

■ RSH

■ Rexec

■ Finger

■ Microsoft Internet Explorer

But before using the tools, I want to spend a moment discussing how to “learn” the variables, command line entries, and switches associated with each tool.

The next several pages detail each of the suggested TCP/IP tools and utilities you may use in your troubleshooting efforts. Don’t forget that you may “capture” any command line details in Windows 2000 Server by redirecting the screen output to a text file. This is accomplished by appending your command line statement with the mathematical “greater than” sign (>), which is the command line’s output redirection operator. Observe:

C:\> dir >foo.txt

This command would direct the directory contents listing to the file foo.txt. That is a file that could easily be read in Notepad or another text editor. Be sure to use a filename without spaces when you redirect screen output to a text file. If you took the preceding example and directed the output to the filename “foo one.txt,” it would be stored under Windows 2000 Server as “foo” with no additional attributes such as the “.txt” extension. That’s problematic when you’ve created output with similar names such as “foo.txt” and “foo one.txt.” Later, when you try to open your important output with Notepad or WordPad, the filenames look nearly identical.

Be careful when naming your output files from the command line. Be sure to use contiguous filenames such as “fooone.txt” to distinguish your filenames. Otherwise, as shown in Figure 5-1, the filenames are difficult to separate.

Figure 5-1: Incorrect naming of output files

IPConfig

The IPConfig command line utility provides a baseline view of where your system is with respect to TCP/IP. Host TCP/IP connection parameters are verified, and you may observe whether the TCP/IP configuration has properly initialized. It is a good first step to take because it enables us to check the TCP/IP configuration on the computer having the alleged problem.

There are several variations of the IPConfig command. These are implemented as command line switches:

Windows 2000 IP Configuration

USAGE:
    ipconfig [/? | /all | /release [adapter] | /renew [adapter]
              | /flushdns | /registerdns
              | /showclassid adapter
              | /setclassid adapter [classidtoset] ]

    adapter    Full name or pattern with ‘*’ and ‘?’ to ‘match’,
               * matches any character, ? matches one character.

    Options
        /?           Display this help message.
        /all         Display full configuration information.
        /release     Release the IP address for the specified adapter.
        /renew       Renew the IP address for the specified adapter.
        /flushdns    Purges the DNS Resolver cache.
        /registerdns Refreshes all DHCP leases and re-registers DNS names
        /displaydns  Display the contents of the DNS Resolver Cache.
        /showclassid Displays all the dhcp class IDs allowed for adapter.
        /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. For Release and Renew, if no adapter name is specified, then the IP address leases for all adapters bound to TCP/IP will be released or renewed.

For SetClassID, if no class id is specified, then the class id is removed.

Examples:
    > ipconfig                       ... Show information.
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew adapters named EL....
    > ipconfig /release *ELINK?21*   ... release all matching adapters,
                                         eg. ELINK-21, myELELINKi21adapter.

The most robust view of IPConfig is with the /all switch. Information for each physically bound network adapter card, modem connections, and even virtual bindings are displayed:

Windows 2000 IP Configuration

    Host Name . . . . . . . . . : TCI1
    Primary Domain Name . . . . : Main.local
    Node Type . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    DNS Suffix Search List. . . : Main.local

Ethernet adapter Local Area Connection:

    Adapter Domain Name . . . . :
    DNS Servers . . . . . . . . : 209.20.130.35
                                  209.20.130.33
    Description . . . . . . . . : Intel(R) PRO/100+ PCI Adapter
    Physical Address. . . . . . : 00-90-27-78-A9-CC
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 209.20.232.11
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 209.20.232.1
    Primary WINS Server . . . . : 10.0.0.2

When interpreting this IPConfig output, you can decipher whether a duplicate IP address has been configured. If the subnet mask appears as 0.0.0.0 for a particular IP address, that indicates that the said address is a duplicate IP address. Likewise, if you dynamically assign IP addresses to your network via DHCP, you can determine if your network adapter was unable to obtain an IP address. This is observed when the IP address appears as 0.0.0.0.

Take that last point to heart. Most TCP/IP problems I can recall having on a Windows 2000 network centered on duplicate or unobtainable IP addresses. Hopefully, you can avoid such a fate.
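The two rules above (subnet mask 0.0.0.0 means a duplicate address, IP address 0.0.0.0 means DHCP handed out nothing) are easy to miss when the /all output scrolls past. The following is an added example, not code from the book, that parses captured IPConfig output in the layout shown above and applies both checks; the host name, adapter names and addresses in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the ipconfig /all output shown above
# (assumed host name, adapter names and addresses; the 0.0.0.0 values are
# deliberate so that both of the chapter's checks fire).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

    Host Name . . . . . . . . . : TCI1
    Primary Domain Name . . . . : Main.local
    Node Type . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . : No

Ethernet adapter Local Area Connection:

    DNS Servers . . . . . . . . : 209.20.130.35
                                  209.20.130.33
    Description . . . . . . . . : Intel(R) PRO/100+ PCI Adapter
    Physical Address. . . . . . : 00-90-27-78-A9-CC
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 209.20.232.11
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . : 209.20.232.1

Ethernet adapter Backup Connection:

    Description . . . . . . . . : Example Adapter (constructed)
    Physical Address. . . . . . : 00-11-22-33-44-55
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :
"""

# "Key . . . . : value" lines; the dotted leaders are stripped from the key.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
# "Ethernet adapter Local Area Connection:" opens a per-adapter section.
_ADAPTER = re.compile(r"^\S.*adapter (.+):$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value}}; host-wide fields go under 'global'."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    last_key = None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            last_key = None
            continue
        m = _FIELD.match(line)
        if m:
            last_key = m.group(1).strip()
            sections[current][last_key] = m.group(2).strip()
        elif line.strip() and last_key:
            # Continuation line, e.g. a second DNS server printed on its own line.
            sections[current][last_key] += " " + line.strip()
    return sections


def diagnose(sections: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Apply the chapter's two interpretation rules to every adapter."""
    findings: Dict[str, List[str]] = {}
    for name, fields in sections.items():
        if name == "global":
            continue
        problems = []
        ip = fields.get("IP Address", "")
        mask = fields.get("Subnet Mask", "")
        if ip == "0.0.0.0":
            # No address at all: on a DHCP client the lease was never obtained.
            if fields.get("DHCP Enabled") == "Yes":
                problems.append("no address obtained from DHCP")
            else:
                problems.append("no IP address configured")
        elif mask == "0.0.0.0":
            # Windows zeroes the mask when it detects the address in use elsewhere.
            problems.append("duplicate IP address " + ip)
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for adapter, problems in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(adapter + ":", "; ".join(problems) or "looks healthy")
```

On a real host, feed the function the text captured with ipconfig /all >foo.txt.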

Don’t forget to make use of “|more” when executing the IPConfig command at the Windows 2000 Server command line. Otherwise, the TCP/IP information will rapidly scroll past without stopping, causing you to mis-key TCP/IP configuration information. This command is especially critical when the /all switch is used with the IPConfig command and lots and lots of important TCP/IP configuration information is displayed.

If your system reports appropriate TCP/IP configuration and connection information, such as that displayed previously, proceed to use the ping command.

Remember that Windows 95/98 uses the winipcfg command in place of the IPConfig command. That distinction is important for both the MCSE certification exams and working with client and server operating systems in the field.

Ping

Assuming you’ve successfully executed and interpreted the preceding IPConfig command, you’re ready to employ the ping command. Ping is my friend. It’s a low-level command that anyone can execute, and thus it’s a command that I ask clients to try while I’m performing over-the-telephone diagnosis. The answer to whether you have ping connectivity is either yes or no.

In layperson’s terms, ping is used to diagnose connection-related failures. By executing the ping command, you can determine whether a particular TCP/IP-based host is available and responding in a non-dysfunctional manner.

Technically, the ping command is transmitting Internet Control Message Protocol (ICMP) packets between two TCP/IP-based hosts. Remember that ICMP relates to session management and special communications between hosts. With ICMP, messages and errors regarding packet delivery are reported. Great stuff!

The ping command has several command line switches that increase its functionality. These switches, listed here, may be observed by typing ping /? at the command line:

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don’t Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

Typing the basic ping command followed by a host IP address results in the following information, which indicates that basic, low-level TCP/IP connectivity has been established:

Pinging 209.20.232.10 with 32 bytes of data:
Reply from 209.20.232.10: bytes=32 time=15ms TTL=128
Reply from 209.20.232.10: bytes=32 time=16ms TTL=128
Reply from 209.20.232.10: bytes=32 time=16ms TTL=128
Reply from 209.20.232.10: bytes=32 time=16ms TTL=128

Ping statistics for 209.20.232.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms

If the host is unreachable, the ping command fails, as shown here:

Pinging 10.0.0.5 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.5:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

For the MCSE exam and other official purposes, follow the traditional six-step ping command food chain and its relationship to IPConfig (see Figure 5-2). I call this phenomenon of IPConfig and ping working together as being reunited!

Figure 5-2: Six steps to success using the IPConfig and ping commands

STEPS: To use the IPConfig and ping commands

Step 1. Run the IPConfig command on the local workstation and observe the TCP/IP configuration information.

Step 2. Ping the internal loopback address to verify that TCP/IP is installed and configured correctly on the local host computer. This address is 127.0.0.1, a reserved address that can’t be used as a real IP address on a network. See Chapter 9 for more information.

(Figure 5-2 diagram labels: Windows 2000 Server 204.107.6.200 on an Ethernet segment, routers 204.107.6.112 and 204.107.7.112, and a Token Ring segment beyond them. Step One: run Ipconfig on the local workstation and observe the TCP/IP configuration information. Step Two: ping 127.0.0.1 (loopback address). Step Three: ping 204.107.6.111. Step Four: ping 204.107.7.112. Step Five: ping 204.107.7.112. Step Six: ping 204.107.7.111.)

Step 3. Ping the address of the local host computer to ensure that TCP/IP is working correctly. Here we are typically pinging the network adapter card(s).

Step 4. Ping the IP address of the router or default gateway so that you know and verify that the router or default gateway is functioning correctly. This also ensures that you have a functional infrastructure in place to communicate with a local host on the local network or subnet.

Step 5. Ping the distant router across a WAN link if appropriate. This is a step I’ve added to the traditional scenario that you may or may not see in the MCSE texts or exams. However, this is based on real-world experience. Often you can ping a remote router yet are unable to ping the desired remote host. That’s because something as simple as a return route may not be programmed (see the route command discussion later in this chapter).

Step 6. Ping the IP address of the remote host. Success at this stage establishes that you can communicate through the remote router and that the remote host is functional.

Typically, I use the ping command in bankruptcy law fashion. What do I mean by that? I mean I work backward (remember that in U.S. bankruptcy law, one starts with Chapter 11 and moves backward to Chapter 7... get it?). So I first ping the remote host (Step 6) and work backward. This approach better typifies the real-world need to communicate with another workstation/server/host somewhere. If that doesn’t work, I back up and ultimately try to find the source of failure.
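The backward walk through Steps 6 to 2 is mechanical enough to script. Here is an added example, not from the book, that parses Windows ping output in the format shown above and pings the step targets from the remote host downward, stopping at the first address that answers so the lowest failing step is the one to investigate. The step addresses are assumed for a hypothetical network, and the canned outputs are constructed so the walk runs offline; on a real host you would pass a function that runs ping and returns its output.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

_REPLY = re.compile(r"^Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
_STATS = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")

# Constructed canned outputs in the format Windows 2000 ping prints (see above).
SUCCESS = """\
Pinging {addr} with 32 bytes of data:
Reply from {addr}: bytes=32 time=15ms TTL=128
Reply from {addr}: bytes=32 time=16ms TTL=128
Reply from {addr}: bytes=32 time=16ms TTL=128
Reply from {addr}: bytes=32 time=16ms TTL=128

Ping statistics for {addr}:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms
"""
FAILURE = """\
Pinging {addr} with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for {addr}:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""


def parse_ping(output: str) -> dict:
    """Summarise one ping run: packets sent/received, loss, worst RTT, reachability."""
    replies = [m for m in (_REPLY.match(l.strip()) for l in output.splitlines()) if m]
    stats = _STATS.search(output)
    if stats:
        sent, received = int(stats.group(1)), int(stats.group(2))
    else:  # ping interrupted before the summary line: count the reply lines
        sent = received = len(replies)
    rtts = [int(m.group(3)) for m in replies]
    return {
        "sent": sent,
        "received": received,
        "loss_pct": 100 * (sent - received) // sent if sent else 100,
        "max_rtt_ms": max(rtts) if rtts else None,
        "reachable": received > 0,
    }


# Assumed addresses for Steps 2 to 6 of the chapter's procedure (hypothetical
# network). Step 1 is IPConfig itself and is not a ping target.
TARGETS: Dict[int, str] = {
    2: "127.0.0.1",      # loopback: TCP/IP installed and initialised?
    3: "209.20.232.11",  # own adapter address
    4: "209.20.232.1",   # default gateway
    5: "10.0.0.1",       # distant router across the WAN link
    6: "10.0.0.5",       # remote host
}

# What a failure at each step points to, following the chapter's explanation.
HINTS: Dict[int, str] = {
    2: "TCP/IP is not installed or initialised on this host",
    3: "the address is not bound to the network adapter",
    4: "the router or default gateway is not functioning",
    5: "the WAN link or the remote router is down",
    6: "remote router answers but the host does not: check the return route",
}


def walk_backward(targets: Dict[int, str],
                  run_ping: Callable[[str], str]) -> Tuple[Optional[int], List[Tuple[int, str, bool]]]:
    """Ping from Step 6 down to Step 2; stop at the first target that answers.
    Returns (lowest failing step or None, log of (step, address, reachable))."""
    log: List[Tuple[int, str, bool]] = []
    failing: Optional[int] = None
    for step in sorted(targets, reverse=True):
        ok = parse_ping(run_ping(targets[step]))["reachable"]
        log.append((step, targets[step], ok))
        if ok:
            break  # everything below this step is known good
        failing = step
    return failing, log


def fake_ping(reachable: set) -> Callable[[str], str]:
    """Stand-in for running 'ping <addr>' so the walk can be exercised offline."""
    def run(addr: str) -> str:
        return (SUCCESS if addr in reachable else FAILURE).format(addr=addr)
    return run


if __name__ == "__main__":
    # Scenario: the remote router answers but the remote host does not.
    failing, log = walk_backward(TARGETS, fake_ping({"127.0.0.1", "209.20.232.11",
                                                     "209.20.232.1", "10.0.0.1"}))
    for step, addr, ok in log:
        print(f"Step {step}: ping {addr}: {'reply' if ok else 'no reply'}")
    print("First failing step:", failing, "->", HINTS.get(failing, "all steps passed"))
```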

The ping command is a great command for testing your implementation of IP security in Windows 2000 Server. If you’ve correctly implemented IP security, even the ping command will fail between two hosts that are not allowed to speak with each other. Further discussion on IP security can be found in Chapter 13 of this book.

For a really good time, use the ping command to test the Windows Sockets-based name resolution on your network. This is accomplished by pinging a host name. For example, on the Internet, I might ping the domain name of my ISP with the following command:

ping nwlink.com

If I enjoy successful replies, then I know there is no problem with address resolution or the network connection. However, if the ping command using a host name isn’t successful but the ping command using the IP address is, then I know that I only have an address resolution problem, not a network connection problem.

A few general steps to consider when the ping command doesn’t work include the following:

■ Reboot the computer after TCP/IP was installed or modified (see my comments earlier under “Always reboot” in the “TCP/IP Troubleshooting Basics” section).

■ Check that the local host’s address is valid as displayed in the Internet Protocol (TCP/IP) Properties tab sheet under Local Area Connection Properties, found under Network and Dial-up Connections, if it is a static IP address (see Figure 5-3).

■ If necessary, make sure Windows 2000 Server-based routing is operational and a link exists between routers. In other words, perhaps you’re having a telephone company-related communications problem.

Figure 5-3: Verifying the host static IP address

ARP

The Address Resolution Protocol (ARP) cache is composed of both dynamic and static addresses. In reality, ARP is used several ways, but fundamentally, ARP maps an IP address to a hardware address. This role is defined in RFC 826. The hardware address is the Media Access Control (MAC), or physical address. This hardware address can best be obtained by viewing the “Physical Address” entry returned by the IPConfig command.

Other ways to obtain physical hardware addresses include using the install utility on the driver disk that comes with your network adapter card or trapping packets with Network Monitor. The former approach is good for workstations that might be running IPX/SPX or NetBEUI, and the latter is good for non-mainstream workstation implementations in a Windows 2000 Server environment such as Macintosh clients. See Chapters 19 and 21 for further discussions of these techniques.

The bottom line on network communications is that hosts must ultimately know each other’s physical addresses to communicate on a network. Address resolution via ARP is the act of converting the host’s IP address to its physical address. In that context, ARP is responsible for gathering the hardware addresses on broadcast-based networks. When operating in a dynamic discovery mode, this is accomplished by ARP issuing a local broadcast of the remote IP address to discover the physical address of the remote host. Having obtained the physical address, it adds it to the ARP cache. In fact, for a given host, both the IP address and the physical address are stored as one entry in the ARP table, for example:

Interface: 10.0.0.2 on Interface 0x2
  Internet Address      Physical Address      Type
  10.0.0.3              00-aa-62-c6-08-00     static

Interface: 131.107.6.171 on Interface 0x3
  Internet Address      Physical Address      Type
  131.107.6.88          00-60-97-ba-f1-25     static

The ARP cache is always read for an IP-physical address mapping before any ARP-related request broadcasts are initiated. Dynamic ARP table entries are maintained for ten minutes. This ensures the freshest ARP resolution information at all times. Static ARP table entries are maintained until the machine is rebooted. Remember that caching enables ARP to operate efficiently. If you did not have any ARP caching, your network would have far too many ARP-type broadcasts travelling to resolve IP addresses to physical addresses (as shown in Figure 5-4). Not a wise way to manage a network.

ARP broadcasts appear as shown in Figure 5-4 when viewed by Network Monitor.

Remember that Windows 2000 Server makes heavy use of address caching in its TCP/IP implementation. That’s a helpful hint to keep in mind when things aren’t going smoothly and you decided to reboot the server to refresh the address cache.

So how does ARP resolve an IP address? Before I discuss the steps that ARP undertakes, remember that the IP addresses for any two hosts must be “resolved” before a communications session may be established.


Figure 5-4: ARP broadcasting

1. Any time one host tries to communicate with another, an ARP request is initiated. An example of such a communication would be the ping command. If the IP address to physical address entry exists in the local table, then the address is resolved. End of story.

2. However, if no entry exists in the ARP table that resolves the IP address to a physical address, ARP starts asking questions in the form of a broadcast packet (such as the packet traffic displayed in Figure 5-4).

3. Every host on the local network evaluates the broadcast and determines whether the IP address in the ARP packet is the same as its IP address.

4. When a match is found, the destination host sends an ARP reply packet back to the source host. Again, this is akin to the traffic shown in Figure 5-4.

5. Routers in scenarios that span multiple subnets participate in ARP-related events in the following manner (also outlined in Figure 5-5): The ARP broadcast is forwarded to the default gateway for evaluation. The ARP broadcast packet is forwarded yet again to a remote router if necessary. Once a session is established with the remote router, the source host sends the ICMP-based request (such as a ping) to the remote router. The remote router resolves the request by sending the ping command to the destination host.


Figure 5-5: An ARP broadcasting scenario

Common ARP-related problems

Two common problem areas are associated with ARP. First is the problem of duplicate addresses. ARP operates on the FIFO principle. That means ARP table entries are made on a first-come, first-served basis. Thus it is possible that if duplicate IP addresses accidentally exist on the network, the wrong IP-based host may reply and cause an incorrect IP address-physical address entry to be added to the ARP table. The ARP case study that follows incorporates elements of this ARP problem.

Second, broadcast storms strike when subnet masks are invalid and countless ARP broadcasts looking for a host are sent in vain on the network. In essence, the numerous broadcast packets being sent are the storm. You and your users know the outcome as decreased network performance.

(Figure 5-5 diagram labels: Host A 204.107.6.111, Host B 204.107.6.110 and Host C 204.107.6.109 (IBM compatible) on an Ethernet segment, with routers at 204.107.6.112. 1: Host A wants to “ping” Host C; no entries for Host C exist in the ARP table for Host A. 2: ARP broadcast packet is sent. 3: ARP broadcast packet is evaluated by Host B and forwarded. 4: Match is made; Host C returns ARP reply packet. 5: ARP broadcast handled by routers when multiple subnets are involved.)

ARP case studyThis is the case of the naughty ISDN router. Malcontent as it was, this ISDNrouter at the headquarters of an athletic club chain was incorrectly causingduplicate IP address errors on the network irrespective of the IP addresseswe assigned to the hosts. We’d receive “duplicate IP address” errors at the Windows 95 workstation, whether we assigned the IP address to theworkstation dynamically or statically. What gives, we pondered? We wereonly dealing with two dozen or so workstations that, by all accounts, didn’thave duplicate IP addresses.

Finally, a breakthrough arrived. Using the ARP command, we were able to trace the "bogus" IP address (and there were a bunch of 'em) back to the ISDN router's MAC address. In short, one MAC address was mapped to several IP addresses. Whenever a Windows 95 workstation attempted to acquire what should have been a valid IP address, it of course got the duplicate IP address error. ARP bailed us out that day and got us a new, correctly functioning router for the athletic club.

Microsoft's position on ARP

Microsoft's position on TCP/IP troubleshooting is this: After running IPConfig and ping, you should then test IP-to-MAC address resolution using ARP. The bottom line? If two hosts can't ping each other, try running ARP commands to see if the host computers have the correct MAC addresses.
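One way to turn the case study's diagnosis into a repeatable check, as an added example that is not from the book: a short Python script that parses Windows arp -a output and flags a MAC address that answers for several IP addresses, or an IP whose MAC changed between two snapshots. The arp output, addresses and MACs below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed samples in the format of Windows "arp -a" output, modelled on
# the ISDN router case study: one MAC (the router's) answers for several
# addresses. Addresses follow the Figure 5-5 subnet; the MACs are made up.
ARP_SNAPSHOT_1 = """\
Interface: 204.107.6.111 on Interface 0x2
  Internet Address      Physical Address      Type
  204.107.6.110         00-60-97-bf-a1-23     dynamic
  204.107.6.109         00-a0-24-7e-11-02     dynamic
  204.107.6.112         00-40-05-1c-9a-00     dynamic
  204.107.6.120         00-40-05-1c-9a-00     dynamic
  204.107.6.121         00-40-05-1c-9a-00     dynamic
"""

# A later snapshot (constructed): the router now answers for Host B's
# address as well, so the cache entry for 204.107.6.110 has flipped.
ARP_SNAPSHOT_2 = """\
Interface: 204.107.6.111 on Interface 0x2
  Internet Address      Physical Address      Type
  204.107.6.110         00-40-05-1c-9a-00     dynamic
  204.107.6.109         00-a0-24-7e-11-02     dynamic
  204.107.6.112         00-40-05-1c-9a-00     dynamic
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IP address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # MAC in Windows dash form
    r"(dynamic|static)\s*$", re.IGNORECASE)


def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; MACs are lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, _kind = m.groups()
            table[ip] = mac.lower()
    return table


def shared_macs(table):
    """MACs mapped to more than one IP address.

    Only a router doing proxy ARP should legitimately appear here; a box
    that answers for addresses it does not own is the case-study symptom
    that produced the "duplicate IP address" errors on the workstations.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after):
    """IPs whose MAC differs between two snapshots.

    The cache is first-come, first-served, so whichever host answers the
    ARP request first wins the entry; comparing snapshots taken a few
    minutes apart shows an address being claimed by a second MAC.
    """
    return {ip: (before[ip], after[ip]) for ip in before
            if ip in after and before[ip] != after[ip]}


if __name__ == "__main__":
    t1 = parse_arp_table(ARP_SNAPSHOT_1)
    t2 = parse_arp_table(ARP_SNAPSHOT_2)
    for mac, ips in shared_macs(t1).items():
        print("MAC %s answers for %d addresses: %s" % (mac, len(ips), ", ".join(ips)))
    for ip, (old, new) in mac_changes(t1, t2).items():
        print("IP %s moved from %s to %s" % (ip, old, new))
```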

Nbtstat

One of the apparent dilemmas in a Microsoft Windows 2000 environment is the resolution of NetBIOS names to IP addresses. This is handled several ways, including Dynamic DNS, WINS server queries, local cache resolution, broadcasts, and LMHOSTS and HOSTS lookup. If you want to drop under the hood, you have the nbtstat command. In addition to acting as a name resolution troubleshooting tool, it enables you to correct or remove preloaded name entries.

Options for the nbtstat command are as follows:

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status)  Lists the remote machine's name table given its name.
  -A   (Adapter status)  Lists the remote machine's name table given its IP address.
  -c   (cache)           Lists NBT's cache of remote [machine] names and their IP addresses.
  -n   (names)           Lists local NetBIOS names. That is, names are displayed that were registered locally on the system by the server and redirector services.
  -r   (resolved)        Lists names resolved by broadcast and via WINS.
  -R   (Reload)          Purges and reloads the remote cache name table (LMHOSTS).
  -S   (Sessions)        Lists sessions table with the destination IP addresses.
  -s   (sessions)        Lists sessions table converting destination IP addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh)  Sends Name Release packets to WINS and then starts Refresh.

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.

In the following nbtstat example, I run the command with the -S switch to list the current NetBIOS sessions, complete with status and statistics:

Local Area Connection:
Node IpAddress: [10.0.0.2] Scope Id: []

                  NetBIOS Connection Table

    Local Name             State    In/Out  Remote Host   Input   Output
    SECRETS2       <03>    Listening
    ADMINISTRATOR  <03>    Listening

A trick you may use to ensure that you're using a fresh local name cache is the nbtstat -R command. This command purges the local name cache and reloads it immediately from such sources as the LMHOSTS file.

Route

The route command is discussed extensively in Chapter 5 in the context of IP gateways. However, a quick review is in order. Using the route command, you may view or modify the route table. The route table lists all current IP routes seen by the host. This includes routes that Windows 2000 Server creates automatically and routes learned by running the Router Information Protocol (RIP). Common options for the route command are shown in Table 5-2.

Table 5-2 Common Options for the Route Command

Command        Function
Route print    Displays all current IP routes known by the host.
Route add      Used to add persistent and nonpersistent routes to the table. It is necessary to use the -p command line option with route add to create a persistent route. Otherwise, the route is lost when the machine is rebooted.
Route delete   Deletes routes from the table.


Netstat

This command displays the current TCP/IP connections and protocol statistics. Options for the netstat command include the following:

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a          Displays all connections and listening ports.
  -e          Displays Ethernet statistics. This may be combined with the -s option.
  -n          Displays addresses and port numbers in numerical form.
  -p proto    Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
  -r          Displays the routing table.
  -s          Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval    Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Here is sample output from the netstat command using the -e (Ethernet statistics), -a (all connections and listening ports), -r (route table), and -s (per-protocol statistics) command line options:

netstat -e:

Interface Statistics

                           Received            Sent

Bytes                        291244          107280
Unicast packets                   0               0
Non-unicast packets            1509             758
Discards                          0               0
Errors                            0               0
Unknown protocols              1128

netstat -a:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SECRETS2:echo          SECRETS2:0             LISTENING
  TCP    SECRETS2:discard       SECRETS2:0             LISTENING
  TCP    SECRETS2:daytime       SECRETS2:0             LISTENING
  TCP    SECRETS2:qotd          SECRETS2:0             LISTENING
  TCP    SECRETS2:chargen       SECRETS2:0             LISTENING
  TCP    SECRETS2:ftp           SECRETS2:0             LISTENING
  TCP    SECRETS2:name          SECRETS2:0             LISTENING
  TCP    SECRETS2:domain        SECRETS2:0             LISTENING
  TCP    SECRETS2:80            SECRETS2:0             LISTENING
  TCP    SECRETS2:135           SECRETS2:0             LISTENING
  TCP    SECRETS2:443           SECRETS2:0             LISTENING
  TCP    SECRETS2:445           SECRETS2:0             LISTENING
  TCP    SECRETS2:printer       SECRETS2:0             LISTENING
  TCP    SECRETS2:548           SECRETS2:0             LISTENING
  TCP    SECRETS2:1025          SECRETS2:0             LISTENING
  TCP    SECRETS2:1026          SECRETS2:0             LISTENING
  TCP    SECRETS2:1028          SECRETS2:0             LISTENING
  TCP    SECRETS2:1031          SECRETS2:0             LISTENING
  TCP    SECRETS2:1034          SECRETS2:0             LISTENING
  TCP    SECRETS2:1035          SECRETS2:0             LISTENING
  TCP    SECRETS2:3389          SECRETS2:0             LISTENING
  TCP    SECRETS2:5162          SECRETS2:0             LISTENING
  TCP    SECRETS2:nbsession     SECRETS2:0             LISTENING
  TCP    SECRETS2:1027          SECRETS2:0             LISTENING
  TCP    SECRETS2:nbsession     SECRETS2:0             LISTENING
  UDP    SECRETS2:echo          *:*
  UDP    SECRETS2:discard       *:*
  UDP    SECRETS2:daytime       *:*
  UDP    SECRETS2:qotd          *:*
  UDP    SECRETS2:chargen       *:*
  UDP    SECRETS2:name          *:*
  UDP    SECRETS2:135           *:*
  UDP    SECRETS2:snmp          *:*
  UDP    SECRETS2:445           *:*
  UDP    SECRETS2:1030          *:*
  UDP    SECRETS2:1032          *:*
  UDP    SECRETS2:1033          *:*
  UDP    SECRETS2:9987          *:*
  UDP    SECRETS2:domain        *:*
  UDP    SECRETS2:bootp         *:*
  UDP    SECRETS2:68            *:*
  UDP    SECRETS2:nbname        *:*
  UDP    SECRETS2:nbdatagram    *:*
  UDP    SECRETS2:1029          *:*
  UDP    SECRETS2:domain        *:*
  UDP    SECRETS2:bootp         *:*
  UDP    SECRETS2:68            *:*
  UDP    SECRETS2:nbname        *:*
  UDP    SECRETS2:nbdatagram    *:*

netstat -r:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 60 08 3a 04 cb ...... 3Com 3C90x Ethernet Adapter
0x3 ...00 60 97 bf a1 23 ...... ELNK3 Ethernet Adapter
0x4 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x5 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x6 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x7 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          10.0.0.0        255.0.0.0         10.0.0.2       10.0.0.2       1
          10.0.0.2  255.255.255.255        127.0.0.1      127.0.0.1       1
    10.255.255.255  255.255.255.255         10.0.0.2       10.0.0.2       1
         127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
       131.107.6.0    255.255.255.0    131.107.6.171  131.107.6.171       1
     131.107.6.171  255.255.255.255        127.0.0.1      127.0.0.1       1
   131.107.255.255  255.255.255.255    131.107.6.171  131.107.6.171       1
         224.0.0.0        224.0.0.0         10.0.0.2       10.0.0.2       1
         224.0.0.0        224.0.0.0    131.107.6.171  131.107.6.171       1
   255.255.255.255  255.255.255.255         10.0.0.2       10.0.0.2       1
===========================================================================
Route Table

Active Connections

  Proto  Local Address          Foreign Address        State

netstat -s:

IP Statistics

  Packets Received                   = 1646
  Received Header Errors             = 0
  Received Address Errors            = 685
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 997
  Output Requests                    = 748
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMP Statistics

                            Received    Sent
  Messages                  12          6
  Errors                    0           0
  Destination Unreachable   0           0
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenchs            0           0
  Redirects                 0           0
  Echos                     0           0
  Echo Replies              0           0
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0

TCP Statistics

  Active Opens                        = 0
  Passive Opens                       = 0
  Failed Connection Attempts          = 0
  Reset Connections                   = 0
  Current Connections                 = 0
  Segments Received                   = 0
  Segments Sent                       = 0
  Segments Retransmitted              = 0

UDP Statistics

  Datagrams Received    = 963
  No Ports              = 34
  Receive Errors        = 0
  Datagrams Sent        = 729
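The netstat -a listing above is the raw material for a listening-port review; as an added example that is not from the book, here is a Python script that parses that output, maps the service names netstat prints back to port numbers, and reports listeners that are not on an assumed baseline for the server. The netstat excerpt, the baseline and the name-to-port subset are constructed for the example.

```python
import re

# Constructed excerpt in the format of "netstat -a" on Windows 2000: a subset
# of the listing shown above, plus one established connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SECRETS2:echo          SECRETS2:0             LISTENING
  TCP    SECRETS2:chargen       SECRETS2:0             LISTENING
  TCP    SECRETS2:ftp           SECRETS2:0             LISTENING
  TCP    SECRETS2:80            SECRETS2:0             LISTENING
  TCP    SECRETS2:3389          SECRETS2:0             LISTENING
  TCP    SECRETS2:nbsession     SECRETS2:0             LISTENING
  TCP    SECRETS2:1027          10.0.0.7:1142          ESTABLISHED
  UDP    SECRETS2:snmp          *:*
  UDP    SECRETS2:nbname        *:*
"""

# netstat prints names from the Services file instead of port numbers; this
# is the subset of that file needed to resolve the sample above.
SERVICES = {"echo": 7, "discard": 9, "daytime": 13, "qotd": 17, "chargen": 19,
            "ftp": 21, "telnet": 23, "domain": 53, "snmp": 161, "nbname": 137,
            "nbdatagram": 138, "nbsession": 139, "printer": 515}

# Assumed allow list: what this particular server is meant to expose.
BASELINE = {("TCP", 80), ("TCP", 139), ("TCP", 3389), ("UDP", 137)}

# Ports served by the optional Simple TCP/IP Services component (echo,
# discard, daytime, qotd, chargen); they rarely have a business purpose on a
# server and are the first candidates to switch off.
SIMPLE_TCPIP = {7, 9, 13, 17, 19}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, port, state) rows; state is '' for UDP sockets."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headings and blank lines
        proto, _host, port, _foreign, state = m.groups()
        if not port.isdigit():
            port = SERVICES.get(port)
            if port is None:
                continue                  # unknown alias: skip, do not guess
        rows.append((proto, int(port), state or ""))
    return rows


def listening_ports(rows):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return sorted({(proto, port) for proto, port, state in rows
                   if (proto == "TCP" and state == "LISTENING") or proto == "UDP"})


def unexpected_listeners(rows, baseline=BASELINE):
    """Listeners that are not on the allow list."""
    return [entry for entry in listening_ports(rows) if entry not in baseline]


def simple_services_open(rows):
    """Ports of the Simple TCP/IP Services that are currently bound."""
    return sorted({port for _proto, port in listening_ports(rows) if port in SIMPLE_TCPIP})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(rows):
        print("not in baseline: %s/%d" % (proto, port))
    print("simple TCP/IP services bound:", simple_services_open(rows))
```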

Tracert

A route tracing utility, tracert utilizes the IP TTL field and ICMP error messages to discover host-to-host routes through the network. Options for the tracert command include the following:

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
  -d                Do not resolve addresses to hostnames.
  -h maximum_hops   Maximum number of hops to search for target.
  -j host-list      Loose source route along host-list.
  -w timeout        Wait timeout milliseconds for each reply.

Here is sample output from the tracert command:

Tracing route to SECRETS2 [131.107.6.171]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  SECRETS2 [131.107.6.171]

Trace complete.

Hostname

This is a very simple but useful command. It returns the NetBIOS computer name for the machine on which the command was executed.

The hostname command is a quick and dirty way to find out (or remember!) which machine you are working on. This command line utility eliminates the need to find similar information via the MMC. It's a favorite command of mine in part because of its simplicity.

The hostname command and its output appear as

C:\>hostname
SECRETS2

where SECRETS2 is the actual host name.


You may not change the host name via the hostname command. The -s option is not supported in Windows 2000 Server. You must use the Network applet in Control Panel to change the host name, followed by a reboot.

FTP

This command remains very popular with Windows 2000 Server users. This is an important point because other TCP/IP processes from the same era (such as Gopher) have declined. Using Port 21, FTP is the basic command for transferring information from one Internet host to another. There are several "variations" of this command, two of which I will show you — the command line method and the Internet Explorer method. First, there is the command line version contained within Windows 2000 Server, which provides very basic, character-based two-way file transfer capabilities. Here is sample output with the FTP command using the fully qualified domain name:

C:\>ftp secrets2
Connect to SECRETS2.
220 SECRETS2 Microsoft FTP Service (Version 5.0).
User (SECRETS2:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp>

Note that this session could have been initiated by using the IP address for SECRETS2 (for example, 10.0.0.2).

The return codes listed in the preceding FTP session, along with all of the other FTP return codes, may be found at http://andrew2.andrew.cmu.edu/rfc/rfc640.html.

Table 5-3 shows the commands that may be used during an FTP session such as the one just displayed. Note these commands are listed by typing "?" at the FTP prompt. You will note that most of these commands openly reveal their UNIX heritage.

Table 5-3 Commands for Use in an FTP Session

!          debug        ls          put         status
?          dir          mdelete     pwd         trace
append     disconnect   mdir        quit        type
ascii      get          mget        quote       user
bell       glob         mkdir       recv        verbose
bye        hash         mls         remotehelp
cd         help         mput        rename
close      lcd          open        rmdir
delete     literal      prompt      send

Table 5-4 provides explanations of the more common FTP commands.

Table 5-4 Common FTP Commands

Command Description

! Spawns an MS-DOS shell, but FTP remains active. Typing exit returns the user to the FTP prompt.

!command Executes an MS-DOS command inside the FTP session on the local computer.

Bye Terminates or ends the FTP session.

Delete With appropriate permissions, files are deleted on the remote computer.

Dir Lists the remote directory’s files and subdirectories.

Get Copies a file to the local computer from a remote computer.

Help Displays FTP command descriptions.

Put Copies files from the local computer to the remote computer.

Mkdir With appropriate permissions, enables you to create a directory on a remote computer.

The key to using the command-line FTP command in Windows 2000 Server is that the host you are "FTP-ing" to will accept your request and initiate a session. FTP management is configured via the FTP service in Microsoft Internet Information Server (IIS), which is included with Windows 2000 Server. Note that changing the default TCP port value used by FTP is one way to create a more secure FTP server site. Both hosts must agree to use the same TCP port value to initiate a session. Using a non-default TCP port can thwart intruders.

Also, consider how you might really use this tool. Basically, I've used FTP for low-level file transfers when I don't have an NFS-based solution to communicate with true UNIX hosts and Windows 2000 Server. Specifically, I once used FTP to transfer files from Sun workstations to a Windows 2000 Server for storage and printing. The FTP service in Microsoft Internet Information Server (IIS) is shown in Figure 5-6.


Figure 5-6: Managing the FTP service via the Internet Information Server application

TFTP

Operating on Port 69 by default, Trivial File Transfer Protocol is a variation of FTP that is used to transfer files to and from a remote computer. I've used TFTP to transfer files from a Windows 2000 Server machine to a Cisco router. Whatever works! Here are the TFTP commands available to you:

TFTP [-i] host [GET | PUT] source [destination]

  -i            Specifies binary image transfer mode (also called octet). In binary image mode the file is moved literally, byte by byte. Use this mode when transferring binary files.
  host          Specifies the local or remote host.
  GET           Transfers the file destination on the remote host to the file source on the local host.
  PUT           Transfers the file source on the local host to the file destination on the remote host.
  source        Specifies the file to transfer.
  destination   Specifies where to transfer the file.


Telnet

Telnet is of course a basic terminal emulation feature that enables you to establish a terminal-mode session with another host. You might, for instance, use Telnet to establish a session with your Windows 2000 Server over the Internet. Another valid use is programming a router, either internally or externally, via the Internet.

When executing the Telnet command, you may save an extra step by appending the Telnet command with the IP address or host name of the server you intend to log on to. Such a command would appear as:

C:\>telnet nwlink.com

Note that nwlink.com is the host name.

Telnet is used each and every day. Honest. When I'm at a remote site that is connected to the Internet, I like to Telnet back to my ISP to check my e-mail. Such a session involves issuing the Telnet command with the fully qualified domain name of my ISP and then launching pine, a character-based e-mail program that is hosted by my ISP (see Figures 5-7 and 5-8).

Figure 5-7: Using the Telnet utility to access an ISP from a remote location


Figure 5-8: Remote access of e-mail via Telnet and other e-mail applications

Because Windows 2000 Server doesn't natively support the whois command, you should use the following trick to add this powerful command to your arsenal. Telnet to a bona fide UNIX server on the Internet. Your ISP should be your first choice. Next, issue the whois command at the UNIX command prompt as described next.

Why use the whois command? To spy on thy Internet neighbor, of course! Just kidding, but the whois command enables you to see who sent that junk mail by performing the whois command against the e-mail's Internet domain name to the right of the "@" symbol. More important, ISP customer service reps and perhaps you can use the whois command (see Figure 5-9) to see if a specific Internet domain name has been taken already (a.k.a. "registered"). At a minimum, the whois command returns important Internet domain registration information (see Figure 5-10). Note the whois command applies only to second-level (such as idgbooks.com), not third-level (springers.nwnexus.com) domain names.

Note that in Windows 2000 Server, the Telnet screen with its limited size requires two screens to display the full Internet domain name registration information.


Figure 5-9: The whois command at the UNIX command prompt

Figure 5-10: Valuable Internet domain name registration information


RCP

The Remote Copy Protocol (RCP) enables you to copy files between TCP/IP-based hosts. Settings for this command include

RCP [-a | -b] [-h] [-r] [host][.user:]source [host][.user:]path\destination

  -a                 Specifies ASCII transfer mode. This mode converts the EOL characters to a carriage return for UNIX and a carriage return/line feed for personal computers. This is the default transfer mode.
  -b                 Specifies binary image transfer mode.
  -h                 Transfers hidden files.
  -r                 Copies the contents of all subdirectories; destination must be a directory.
  host               Specifies the local or remote host. If host is specified as an IP address OR if host name contains dots, you must specify the user.
  .user:             Specifies a user name to use, rather than the current user name.
  source             Specifies the files to copy.
  path\destination   Specifies the path relative to the logon directory on the remote host. Use the escape characters (\ , ", or ') in remote paths to use wildcard characters on the remote host.

RSH

This command launches a remote shell on a UNIX host. Settings for this command include the following:

RSH host [-l username] [-n] command

  host          Specifies the remote host on which to run command.
  -l username   Specifies the user name to use on the remote host. If omitted, the logged on user name is used.
  -n            Redirects the input of RSH to NULL.
  command       Specifies the command to run.

Rexec

This command enables you to run commands on remote hosts running the rexec service. Rexec authenticates the user name on the remote host before executing the specified command. Settings for this command include the following:

REXEC host [-l username] [-n] command

  host          Specifies the remote host on which to run command.
  -l username   Specifies the user name on the remote host.
  -n            Redirects the input of REXEC to NULL.
  command       Specifies the command to run.

Finger

This command displays information about a user on a specified system running the Finger service. Output varies based on the remote system. Settings for this command include the following:

FINGER [-l] [user]@host [...]

  -l       Displays information in long list format.
  user     Specifies the user you want information about. Omit the user parameter to display information about all users on the specified host.
  @host    Specifies the server on the remote system whose users you want information about.

Microsoft Internet Explorer

Even though I have touted the benefits of a robust Internet browser such as Internet Explorer (IE) several times in this book, it's worth repeating here. The "official" Microsoft party line is that IE is very much a troubleshooting tool for the TCP/IP protocol in Windows 2000 Server. That's because IE increasingly supports TCP/IP protocol suite utilities such as FTP. This is a capability beyond the original browser, which basically has Hypertext Transfer Protocol (HTTP) support. In reality, I use IE every day to go up on the Internet and download resources to optimize my Windows 2000 Server installations.

Other TCP/IP Troubleshooting Angles

Having reviewed the primary utilities that ship as part of the TCP/IP protocol suite in Windows 2000 Server, let's explore a few other time-tested TCP/IP troubleshooting tricks.

Troubleshooting TCP/IP database files

This section is written with the MCSE candidate in mind. In the real world, you and I rely on the GUI-interface presentation of TCP/IP information in Windows 2000 Server. However, whether you're an old-timer in the industry or you're trying to pass the demanding TCP/IP exams on the MCSE tracks, the files shown in Table 5-5 contain critical TCP/IP information. Everyone else can benefit by observing the file descriptions and contents.


Table 5-5 Windows 2000 Server UNIX-style Database Files

File Name Description

HOSTS Provides host name-to-IP address resolution for applications that are Windows Sockets-compliant.

LMHOSTS Provides NetBIOS name-to-IP address resolution for Windows-based networking.

Networks Provides network name-to-network ID resolution for TCP/IP management.

Protocol Provides protocol name-to-protocol ID resolution for Windows Sockets applications.

Services Provides service name-to-port ID resolution for Windows Sockets applications.

Sample output from the HOSTS file contained at %systemroot%\system32\drivers\etc is as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Sample output from the LMHOSTS (lmhosts.sam) file contained at %systemroot%\system32\drivers\etc is as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
#      #PRE
#      #DOM:<domain>
#      #INCLUDE <filename>
#      #BEGIN_ALTERNATE
#      #END_ALTERNATE
#      \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname  \0x14"                    #special app server
# 102.54.94.123    popular            #PRE             #source server
# 102.54.94.117    localsrv           #PRE             #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

I've highlighted in bold the two most valuable lines from this sample file. First, the line 102.54.94.97 rhino #PRE #DOM:networking is an entry type that I've used to solve pesky resolution problems. Sometimes preloading the entry (the #PRE statement) and forcing a domain name for the host (#DOM) will solve nasty timeout conditions over slow WAN links. Been there, done that.

The other interesting entry is the 102.54.94.102 "appname \0x14" line. What is occurring here, in English, is that the full 15 positions of the host name are being filled out or padded. This is necessary in some resolution scenarios. Most likely you will be working with Microsoft Technical Support when you get to the point at which this becomes necessary. As stated in the preceding sample file, the \0x14 represents nonprinting characters.
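As an added example that is not from the book, the following Python parser applies the LMHOSTS rules described above (#PRE, #DOM, quoted names with \0xnn escapes, #INCLUDE) to a file and reports an #INCLUDE whose server has no earlier #PRE mapping, which the sample file says is always required. The LMHOSTS content is constructed from the sample file's own addresses and names; the choice of 0x00 as the suffix byte for bare names is an assumption made here.

```python
import re

# Constructed LMHOSTS content exercising the extensions described in the
# sample file above; addresses and names are taken from that sample, plus
# one deliberately wrong #INCLUDE whose server was never preloaded.
SAMPLE_LMHOSTS = r'''
# comment line
102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname  \0x14"                    #special app server
102.54.94.123    popular            #PRE             #source server
102.54.94.117    localsrv           #PRE             #needed for the include
10.0.0.9         orphan
#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#INCLUDE \\orphan\public\lmhosts
#END_ALTERNATE
'''

# IP address, then a quoted or bare NetBIOS name, then tags and comment.
ENTRY_RE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+("([^"]*)"|\S+)(.*)$')
# #INCLUDE \\server\share\path
INCLUDE_RE = re.compile(r'^\s*#INCLUDE\s+\\\\([^\\\s]+)\\(\S+)', re.IGNORECASE)
# \0xnn escape inside a quoted name
HEX_ESC = re.compile(r'\\0x([0-9a-fA-F]{2})')


def decode_name(field):
    """Return (name, suffix) for one NetBIOS name field.

    Bare names are upper-cased and carry no explicit suffix (None).  In a
    quoted name the \0xnn escape supplies the 16th (suffix) byte and the text
    before it, padded to 15 characters, is the name proper.
    """
    if not (field.startswith('"') and field.endswith('"')):
        return field.upper(), None
    raw = field[1:-1]
    m = HEX_ESC.search(raw)
    if m:
        name, suffix = raw[:m.start()], int(m.group(1), 16)
    else:
        name, suffix = raw, None
    name = name.rstrip()
    if len(name) > 15:
        raise ValueError("NetBIOS name longer than 15 characters: %r" % name)
    return name, suffix


def netbios_name_bytes(name, suffix):
    """16-byte form: name space-padded to 15, then the suffix byte.
    Assumption: a bare name with no suffix is encoded with 0x00."""
    return name.ljust(15).encode("ascii") + bytes([0x00 if suffix is None else suffix])


def parse_lmhosts(text):
    """Parse mappings and #INCLUDE lines; return (entries, problems)."""
    entries, problems, preloaded = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        inc = INCLUDE_RE.match(line)
        if inc:
            server = inc.group(1).upper()
            if server not in preloaded:
                problems.append("line %d: #INCLUDE server %s has no earlier #PRE mapping"
                                % (lineno, server))
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # comment or directive
        m = ENTRY_RE.match(line)
        if not m:
            problems.append("line %d: unparsable entry" % lineno)
            continue
        ip, field, _quoted, rest = m.groups()
        name, suffix = decode_name(field)
        tags = rest.split()
        pre = any(t.upper() == "#PRE" for t in tags)
        dom = next((t[5:] for t in tags if t.upper().startswith("#DOM:")), None)
        if pre:
            preloaded.add(name.upper())
        entries.append({"ip": ip, "name": name, "suffix": suffix, "pre": pre, "dom": dom})
    return entries, problems


if __name__ == "__main__":
    found, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in found:
        print(e["ip"], netbios_name_bytes(e["name"], e["suffix"]), "PRE" if e["pre"] else "",
              "DOM:%s" % e["dom"] if e["dom"] else "")
    for p in issues:
        print("problem:", p)
```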

In fact, one time that I can recall where I worked extensively with the LMHOSTS file was when I was troubleshooting the dickens out of a Microsoft Exchange performance problem across two domains. Upon reflection years later, I now see that this was an exercise in using TCP/IP tools to troubleshoot an integration problem between a Microsoft BackOffice component and the underlying Windows NT Server operating system. Such lofty insights, garnered from bumps, bruises, and general maturity with Windows NT Server, have made me a more effective network professional. I'm sure you will enjoy the same positive results from ascending both the Windows 2000 Server and TCP/IP learning curves.


If you want to convert the lmhosts.sam file from being a sample file to acting as your real lmhosts file, you will need to remove the .sam file extension.

Sample output from the Networks file contained at %systemroot%\system32\drivers\etc is as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This file contains network name/network number mappings for
# local networks. Network numbers are recognized in dotted
# decimal form.
#
# Format:
#
# <network name>  <network number>     [aliases...]  [#<comment>]
#
# For example:
#
#    loopback     127
#    campus       284.122.107
#    london       284.122.108

loopback                 127

Sample output from the Protocol file contained at %systemroot%\system32\drivers\etc is as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This file contains the Internet protocols as defined by RFC 1700
# (Assigned Numbers).
#
# Format:
#
# <protocol name>  <assigned number>  [aliases...]   [#<comment>]

ip       0   IP        # Internet protocol
icmp     1   ICMP      # Internet control message protocol
ggp      3   GGP       # Gateway-gateway protocol
tcp      6   TCP       # Transmission control protocol
egp      8   EGP       # Exterior gateway protocol
pup     12   PUP       # PARC universal packet protocol
udp     17   UDP       # User datagram protocol
hmp     20   HMP       # Host monitoring protocol
xns-idp 22   XNS-IDP   # Xerox NS IDP
rdp     27   RDP       # "reliable datagram" protocol
rvd     66   RVD       # MIT remote virtual disk

Sample output from the Services file contained at %systemroot%\system32\drivers\etc is as follows:

# Copyright (c) 1993-1999 Microsoft Corp.## This file contains port numbers for well-known services # as defined by# RFC 1700 (Assigned Numbers).

Chapter 5: Troubleshooting TCP/IP 189■ ■

4620-1 ch05.f.qc 10/28/99 12:00 PM Page 189

## Format:## <service name> <port number>/<protocol> # [aliases...] [#<comment>]#

echo             7/tcp
echo             7/udp
discard          9/tcp     sink null
discard          9/udp     sink null
systat           11/tcp    users                  #Active users
systat           11/tcp    users                  #Active users
daytime          13/tcp
daytime          13/udp
qotd             17/tcp    quote                  #Quote of the day
qotd             17/udp    quote                  #Quote of the day
chargen          19/tcp    ttytst source          #Character generator
chargen          19/udp    ttytst source          #Character generator
ftp-data         20/tcp                           #FTP, data
ftp              21/tcp                           #FTP. control
telnet           23/tcp
smtp             25/tcp    mail                   #Simple Mail Transfer Protocol
time             37/tcp    timserver
time             37/udp    timserver
rlp              39/udp    resource               #Resource Location Protocol
nameserver       42/tcp    name                   #Host Name Server
nameserver       42/udp    name                   #Host Name Server
nicname          43/tcp    whois
domain           53/tcp                           #Domain Name Server
domain           53/udp                           #Domain Name Server
bootps           67/udp    dhcps                  #Bootstrap Protocol Server
bootpc           68/udp    dhcpc                  #Bootstrap Protocol Client
tftp             69/udp                           #Trivial File Transfer
gopher           70/tcp
finger           79/tcp
http             80/tcp    www www-http           #World Wide Web
kerberos-sec     88/tcp    krb5                   #Kerberos
kerberos-sec     88/udp    krb5                   #Kerberos
hostname         101/tcp   hostnames              #NIC Host Name Server
iso-tsap         102/tcp                          #ISO-TSAP Class 0
rtelnet          107/tcp                          #Remote Telnet Service
pop2             109/tcp   postoffice             #Post Office Protocol - Version 2
pop3             110/tcp                          #Post Office Protocol - Version 3
sunrpc           111/tcp   rpcbind portmap        #SUN Remote Procedure Call
sunrpc           111/udp   rpcbind portmap        #SUN Remote Procedure Call
auth             113/tcp   ident tap              #Identification Protocol
uucp-path        117/tcp
nntp             119/tcp   usenet                 #Network News Transfer Protocol
ntp              123/udp                          #Network Time Protocol
epmap            135/tcp   loc-srv                #DCE endpoint resolution
epmap            135/udp   loc-srv                #DCE endpoint resolution
netbios-ns       137/tcp   nbname                 #NETBIOS Name Service
netbios-ns       137/udp   nbname                 #NETBIOS Name Service
netbios-dgm      138/udp   nbdatagram             #NETBIOS Datagram Service
netbios-ssn      139/tcp   nbsession              #NETBIOS Session Service
imap             143/tcp   imap4                  #Internet Message Access Protocol
pcmail-srv       158/tcp                          #PCMail Server
snmp             161/udp                          #SNMP
snmptrap         162/udp   snmp-trap              #SNMP trap
print-srv        170/tcp                          #Network PostScript
bgp              179/tcp                          #Border Gateway Protocol
irc              194/tcp                          #Internet Relay Chat Protocol
ipx              213/udp                          #IPX over IP
ldap             389/tcp                          #Lightweight Directory Access Protocol
https            443/tcp   MCom
https            443/udp   MCom
microsoft-ds     445/tcp
microsoft-ds     445/udp
#? kpasswd       464/tcp                          # Kerberos (v5)
#? kpasswd       464/udp                          # Kerberos (v5)
isakmp           500/udp   ike                    #Internet Key Exchange
exec             512/tcp                          #Remote Process Execution
biff             512/udp   comsat
login            513/tcp                          #Remote Login
who              513/udp   whod
cmd              514/tcp   shell
syslog           514/udp
printer          515/tcp   spooler
talk             517/udp
ntalk            518/udp
efs              520/tcp                          #Extended File Name Server
router           520/udp   route routed
timed            525/udp   timeserver
tempo            526/tcp   newdate
courier          530/tcp   rpc
conference       531/tcp   chat
netnews          532/tcp   readnews
netwall          533/udp                          #For emergency broadcasts
uucp             540/tcp   uucpd
klogin           543/tcp                          #Kerberos
kshell           544/tcp   krcmd                  #Kerberos remote shell
new-rwho         550/udp   new-who
remotefs         556/tcp   rfs rfs_server
rmonitor         560/udp   rmonitord
monitor          561/udp
ldaps            636/tcp   sldap                  #LDAP over TLS/SSL
doom             666/tcp                          #Doom Id Software
doom             666/udp                          #Doom Id Software
kerberos-adm     749/tcp                          #Kerberos administration
kerberos-adm     749/udp                          #Kerberos administration
kpop             1109/tcp                         #Kerberos POP
phone            1167/udp                         #Conference calling
ms-sql-s         1433/tcp                         #Microsoft-SQL-Server
ms-sql-s         1433/udp                         #Microsoft-SQL-Server
ms-sql-m         1434/tcp                         #Microsoft-SQL-Monitor
ms-sql-m         1434/udp                         #Microsoft-SQL-Monitor
wins             1512/tcp                         #Microsoft Windows Internet Name Service
wins             1512/udp                         #Microsoft Windows Internet Name Service
ingreslock       1524/tcp  ingres
l2tp             1701/udp                         #Layer Two Tunneling Protocol
pptp             1723/tcp                         #Point-to-point tunnelling protocol
radius           1812/udp                         #RADIUS authentication protocol
radacct          1813/udp                         #RADIUS accounting protocol
nfsd             2049/udp  nfs                    #NFS server
knetd            2053/tcp                         #Kerberos de-multiplexor
ttcp             5001/tcp                         #TTCP
ttcp             5001/udp                         #TTCP
man              9535/tcp                         #Remote Man Server
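As an added example (not from the book or from Windows), here is a parser for the services file format listed above, which is the file netstat consults when it prints service names instead of port numbers; the excerpt it parses is a constructed subset of that listing.

```python
"""Parser for the Windows 'services' file format shown above (added example)."""
from collections import namedtuple
from typing import Dict, List, Tuple

Service = namedtuple("Service", "name port proto aliases comment")

# Constructed excerpt of the listing above, including a commented-out "#?" entry.
SAMPLE_SERVICES = """\
echo              7/tcp
echo              7/udp
nicname          43/tcp    whois
http             80/tcp    www www-http     #World Wide Web
netbios-ssn     139/tcp    nbsession        #NETBIOS Session Service
#? kpasswd      464/tcp                     # Kerberos (v5)
cmd             514/tcp    shell
syslog          514/udp
ms-sql-s       1433/tcp                     #Microsoft-SQL-Server
"""

def parse_services(text: str) -> List[Service]:
    """One Service per valid line: name, port/proto, optional aliases, optional comment."""
    services = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")  # '#' starts a comment, so "#? ..." lines drop out
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or truncated line
        port_str, _, proto = fields[1].partition("/")
        if not port_str.isdigit() or proto not in ("tcp", "udp"):
            continue  # tolerate a malformed port/proto field instead of aborting
        services.append(Service(fields[0], int(port_str), proto,
                                tuple(fields[2:]), comment.strip()))
    return services

def build_port_index(services: List[Service]) -> Dict[Tuple[int, str], str]:
    """(port, proto) -> name: the lookup netstat performs to print service names."""
    return {(s.port, s.proto): s.name for s in services}

def build_name_index(services: List[Service]) -> Dict[str, Tuple[int, str]]:
    """Name or alias -> (port, proto); the first entry wins when a line is duplicated."""
    index: Dict[str, Tuple[int, str]] = {}
    for s in services:
        for key in (s.name,) + s.aliases:
            index.setdefault(key, (s.port, s.proto))
    return index

def service_name(port: int, proto: str, port_index: Dict[Tuple[int, str], str]) -> str:
    """Name for a port, or the bare number when the file has no entry (netstat's fallback)."""
    return port_index.get((port, proto.lower()), str(port))
```

Feed it the real %SystemRoot%\system32\drivers\etc\services to confirm that an unexpected name shown by netstat really comes from that file rather than from the network.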

Reinstalling TCP/IP

Clearly one trick that is always available is to uninstall and reinstall the TCP/IP protocol suite in Windows 2000 Server. I mentioned previously that the Microsoft TCP/IP protocol stack is a weaker stack, and unfortunately this holds true in the heat of battle on occasion (and it always seems to be at the enterprise level, not at my home basement lab!).

So let’s assume that you’ve tried just about every TCP/IP troubleshooting approach mentioned in this chapter and nothing, absolutely nothing, is solving your problem. Time for drastic action. Simply stated, remove and reinstall the TCP/IP protocol stack. Correctly done, this approach will work wonders.

But of course it isn’t that simple. When reinstalling the TCP/IP protocol suite, it’s entirely plausible that you will receive an error message that indicates “The Registry Subkey Already Exists.” The fix is obvious. To fully remove TCP/IP, you must remove the “embedded” Registry entries the protocol suite made during installation.

Experienced Microsoft Exchange users will immediately recognize what’s going on here. To completely remove Microsoft Exchange from a Windows 2000 server, you must manually remove its related Registry entries. The same can be said for TCP/IP.

The TCP/IP protocol suite and related services entries that should be removed from the Registry are as follows (note I’m assuming some services such as WINS have been installed; otherwise ignore those Registry references).

Connectivity utilities

Assuming you have removed the TCP/IP protocol “component,” then you must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\NetBT
HKEY_LOCAL_MACHINE\Software\Microsoft\Tcpip
HKEY_LOCAL_MACHINE\Software\Microsoft\TcpipCU
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\DHCP
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\LMHosts
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\’NetDriver’\Parameters\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\NetBT


SNMP service

Assuming you have removed the SNMP service, you must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\Software\Microsoft\Snmp
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Snmp

TCP/IP network printing support

These entries relate to the LPDSVC line printer components. You must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\Lpdsvc
HKEY_LOCAL_MACHINE\Software\Microsoft\TcpPrint
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Lpdsvc

Simple TCP/IP Services

The next two entries relate to the Simple TCP/IP Services. You must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\SimpTcp
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\SimTcp

DHCP Server service

Assuming you have removed the DHCP Server service, you must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\DhcpMibAgent
HKEY_LOCAL_MACHINE\Software\Microsoft\DhcpServer
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\DhcpServer

WINS Server service

Assuming you have removed the WINS Server service, you must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\Wins
HKEY_LOCAL_MACHINE\Software\Microsoft\WinsMibAgent
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Wins

DNS Server service

Assuming you have removed the DNS Server service, you must remove

HKEY_LOCAL_MACHINE\Software\Microsoft\Dns
HKEY_LOCAL_MACHINE\Software\Microsoft\WinsMibAgent
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Wins

Few Windows 2000 Server professionals know about the required TCP/IP-related Registry housekeeping just detailed (removing Registry entries and so on). By following the preceding suggestions, you’ve set yourself apart from the 2000 pack!

TCP/IP Q & A

As promised, here are more specific TCP/IP troubleshooting-related questions and answers.


Is TCP/IP correctly installed on my Windows 2000 Server?

This question isn’t as easy to answer as you might think, given the possibilities of corrupt TCP/IP protocol stack components that won’t easily reveal themselves during the moment of need. However, you can always stick to a few basics. First, ping the loopback address of 127.0.0.1. Assuming this worked and a reply occurred, you’re possibly home free. If it failed, however, observe the event logs and see what types of TCP/IP-related information were recorded in the system log. Second, ping another address (a host machine, another workstation, or such) and see if you receive a reply. If so, yet another TCP/IP-related hurdle has been passed.

I receive an Error 53 when connecting to a server. What is it?

Error 53 is returned when host name resolution fails. That’s the bottom line. Possible resolution paths include confirming that the host name is spelled correctly (such as in the UNC format) when you attempt resolution (this assumes, of course, that the other computer is running TCP/IP). The preceding advice is valid for a remote host located on the same or a different subnet. However, if you are crossing to another subnet, the resolution scenario becomes more complex. For mixed Windows 2000 Server networks, you might also check that the WINS database contains the same type of name-to-IP address mappings. Heck, if you’re really old fashioned, it wouldn’t hurt to see if the LMHOSTS file contains the appropriate name-to-IP address mapping entries.

I’m relying on the LMHOSTS file for resolution. I’ve added a new name mapping, but I’m experiencing long connect times or timeout conditions. Why?

Supposing you have a large LMHOSTS file (of course this would only occur at the enterprise level), your new entries may be too far down the list for speedy name resolution. Therefore, it is better for you to preload the entry with the #PRE keyword. This and other LMHOSTS file goodies were discussed earlier in this chapter. You may also place your mapping higher in the LMHOSTS file.

I am having a difficult time connecting to a specific server. What gives?

Run the nbtstat -n command to determine without doubt what names, including the server you are seeking, are registered on the network. See the nbtstat section earlier in the chapter for more information.

I cannot connect to a foreign host when using host names, but I can connect with IP addresses. Why?

Simply stated, you’re having problems with DNS-related resolution. Check that the DNS Server setup for the TCP/IP protocol is correct. Make sure that the DNS addresses are correct and in the proper order. If you are using the HOSTS file, make sure that the remote computer name is spelled correctly with proper capitalization.


I’m communicating with a remote host, and the TCP/IP connection appears hung. I’ve confirmed this by observing TCP/IP-related errors in my error log. Why?

Using the netstat -a command, you can observe the port activity for TCP and UDP. A good TCP connection typically has 0 bytes in the send/receive queues. Blocked data will reveal itself as a connection problem. If this is not the case, then you’re experiencing application delays or network problems. Don’t overlook the possibilities of application delay. There’s nothing like a client/server database suffering from contention problems that are disguised and appear as TCP/IP connection problems. If you’re an experienced network professional, you probably have similar epic stories.

When using Telnet, the banner on the title bar isn’t correct, but I’m sure I’ve specified the correct IP address. Why?

It’s important to verify that the DNS name and HOSTS table are current. Also, verify that no two computers have the same IP address on the same network. Impostor problems such as this are among the most difficult to track down and resolve. Using the arp -g command, you will see the mappings from the ARP cache. This will display the Ethernet (MAC) address for the particular remote computer, possibly enabling you to delete the impostor entry with arp -d if you know the erroneous MAC address. After undertaking these steps, try pinging the remote host address, an action that forces an ARP. Finally, check the ARP table again with arp -g.

I’ve received a message “Your default gateway does not belong to one of the configured interfaces.” How can I solve this?

Basically, the default gateway doesn’t appear to be on the same logical network as the computer’s network adapter. This can be determined and resolved by comparing the network ID portion of the default gateway’s IP address with the network ID(s) of any of the computer’s network adapters.
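As an added example (not from the chapter), the network-ID comparison just described, carried out with Python’s standard ipaddress module; the adapter names, addresses and masks are constructed values, not taken from any real server.

```python
"""Added example: the network-ID comparison described above (not from the original chapter)."""
import ipaddress
from typing import List, Optional, Tuple

Adapter = Tuple[str, str, str]  # (adapter name, IP address, subnet mask)

# Constructed adapter configuration (hypothetical values, not from the chapter).
ADAPTERS: List[Adapter] = [
    ("Local Area Connection", "192.168.10.25", "255.255.255.0"),
    ("Backbone", "10.1.4.7", "255.255.252.0"),
]

def network_id(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network ID portion of an address: the IP ANDed with its subnet mask."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network

def adapter_for_gateway(gateway: str, adapters: List[Adapter]) -> Optional[str]:
    """Name of the adapter whose network ID contains the gateway, or None when no
    adapter matches (the condition behind the 'does not belong to one of the
    configured interfaces' message)."""
    gw = ipaddress.IPv4Address(gateway)
    for name, ip, mask in adapters:
        if gw in network_id(ip, mask):
            return name
    return None

def diagnose_gateway(gateway: str, adapters: List[Adapter]) -> str:
    """One-line verdict a troubleshooter can act on."""
    name = adapter_for_gateway(gateway, adapters)
    if name is not None:
        return f"OK: default gateway {gateway} is on the network of '{name}'"
    ids = ", ".join(f"{n}={network_id(i, m)}" for n, i, m in adapters)
    return f"MISMATCH: {gateway} is not on any configured network ({ids})"

if __name__ == "__main__":
    for gw in ("192.168.10.1", "192.168.11.1"):
        print(diagnose_gateway(gw, ADAPTERS))
```

A mismatch usually means a mistyped gateway or subnet mask on the adapter rather than a fault on the gateway itself, so check those two fields in ipconfig first.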

I can’t ping across a router when using TCP/IP as a RAS client. Why?

The RAS Phonebook is the culprit here. If you have selected “Use default gateway on remote network” under the TCP/IP settings in the RAS Phonebook, you will have this problem. The resolution is this: Using the route add command, add the route of the subnet you’re attempting to connect to.

Additional TCP/IP Troubleshooting Resources

Just a short note to wrap up TCP/IP troubleshooting. Remember that the event logs such as System and Application will assist your troubleshooting efforts, as will Microsoft TechNet, the online Microsoft Knowledge Base found at www.microsoft.com; Microsoft Technical Support; and Performance Monitor. If you use Performance Monitor, make sure that you’ve installed the SNMP service on your Windows 2000 Server so that you have the full suite of TCP/IP-related object:counters.


Summary

This chapter explored all the important topics of troubleshooting TCP/IP:

• Learning how to troubleshoot TCP/IP

• Understanding TCP/IP troubleshooting steps

• Understanding TCP/IP utilities and tools used for troubleshooting

• Selecting the best tool to solve your TCP/IP-related problem
